Skip to content

Fix mysql password #3235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Fix mysql password #3235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
d3dd945
Set more grep-able passwords in CI jobs, drop domjudge user
eldering Nov 27, 2025
88ba0bc
Set more greppable admin password
eldering Nov 27, 2025
fe688f2
Use mysql credentials from `~/.my.cnf`
eldering Nov 28, 2025
98dc0e5
URL encode variables that go into a MySQL credentials URI
eldering Aug 25, 2024
b997b2b
Fixes for supporting passwords with weird characters
eldering Nov 22, 2024
e2030d2
Test plenty of weird characters in CI job MySQL password
eldering Aug 25, 2024
3bea86d
Consistency: use mysql_log and credentials already set in baseinstall.sh
eldering Nov 28, 2025
c147be7
Create the domjudge DB user with wildcard hostname
eldering Nov 28, 2025
1510732
Use our standard script to create database
eldering Nov 28, 2025
fc44d08
Prevent double _test database suffix
eldering Nov 28, 2025
51894fe
Call read_dbpasswords outside of update_passwords function
eldering Jul 5, 2025
2fd0d50
Don't pass DBUSER/PASSWD to symfony_console, always construct URL
eldering Nov 25, 2024
fa5654a
Add " and some non-ASCII characters to database password in CI tests
eldering Nov 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 28 additions & 34 deletions .github/jobs/baseinstall.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,6 @@ export APP_ENV="${4:-prod}"
# In the test environment, we need to use a different database
[ "$APP_ENV" = "prod" ] && DATABASE_NAME=domjudge || DATABASE_NAME=domjudge_test

MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-root}

set -euxo pipefail

if [ -z "$phpversion" ]; then
Expand All @@ -34,9 +32,9 @@ yarnpkg install
cd ..
section_end

section_start "Set simple admin password"
echo "password" > ./etc/initial_admin_password.secret
echo "default login admin password password" > ~/.netrc
section_start "Set admin password"
echo "${ADMIN_PASSWORD}" > ./etc/initial_admin_password.secret
echo "default login admin password ${ADMIN_PASSWORD}" > ~/.netrc
section_end

section_start "Install domserver"
Expand Down Expand Up @@ -74,34 +72,30 @@ EOF
cat ~/.my.cnf

# TODO: Remove after fixing https://github.com/DOMjudge/domjudge/issues/2848
mysql_root "SET GLOBAL innodb_snapshot_isolation = OFF;"
mysql_log "SET GLOBAL innodb_snapshot_isolation = OFF;"

echo "unused:sqlserver:$DATABASE_NAME:domjudge:"'domjudge_db-pw+% #$*")@(!/;,.ßéçü主機:3306' > /opt/domjudge/domserver/etc/dbpasswords.secret

mysql_root "CREATE DATABASE IF NOT EXISTS \`$DATABASE_NAME\` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql_root "CREATE USER IF NOT EXISTS \`domjudge\`@'%' IDENTIFIED BY 'domjudge';"
mysql_root "GRANT SELECT, INSERT, UPDATE, DELETE ON \`$DATABASE_NAME\`.* TO 'domjudge'@'%';"
mysql_root "FLUSH PRIVILEGES;"
/opt/domjudge/domserver/bin/dj_setup_database create-db-users

# Show some MySQL debugging
mysql_root "show databases"
mysql_root "SELECT CURRENT_USER();"
mysql_root "SELECT USER();"
mysql_root "SELECT user,host FROM mysql.user"
mysql_root "SET GLOBAL max_allowed_packet=1073741824"
mysql_root "SHOW GLOBAL STATUS LIKE 'Connection_errors_%'"
mysql_root "SHOW VARIABLES LIKE 'innodb_snapshot_isolation'"
mysql_root "SHOW VARIABLES LIKE '%_timeout'"
echo "unused:sqlserver:$DATABASE_NAME:domjudge:domjudge:3306" > /opt/domjudge/domserver/etc/dbpasswords.secret
mysql_user "SELECT CURRENT_USER();"
mysql_user "SELECT USER();"
mysql_log "show databases"
mysql_log "SELECT CURRENT_USER();"
mysql_log "SELECT USER();"
mysql_log "SELECT user,host FROM mysql.user"
mysql_log "SET GLOBAL max_allowed_packet=1073741824"
mysql_log "SHOW GLOBAL STATUS LIKE 'Connection_errors_%'"
mysql_log "SHOW VARIABLES LIKE '%_timeout'"
section_end

if [ "${db}" = "install" ]; then
section_start "Install DOMjudge database"
/opt/domjudge/domserver/bin/dj_setup_database -uroot -p${MYSQL_ROOT_PASSWORD} bare-install
/opt/domjudge/domserver/bin/dj_setup_database bare-install
section_end
elif [ "${db}" = "upgrade" ]; then
section_start "Upgrade DOMjudge database"
/opt/domjudge/domserver/bin/dj_setup_database -uroot -p${MYSQL_ROOT_PASSWORD} upgrade
/opt/domjudge/domserver/bin/dj_setup_database upgrade
/opt/domjudge/domserver/webapp/bin/console domjudge:reset-user-password admin "${ADMIN_PASSWORD}"
section_end
fi

Expand Down Expand Up @@ -141,31 +135,31 @@ if [ "${db}" = "install" ]; then
section_start "Install the example data"
if [ "$version" = "unit" ]; then
# Make sure admin has no team associated so we will not insert submissions during unit tests.
mysql_root "UPDATE user SET teamid=null WHERE userid=1;" $DATABASE_NAME
mysql_log "UPDATE user SET teamid=null WHERE userid=1;" $DATABASE_NAME
fi
/opt/domjudge/domserver/bin/dj_setup_database -uroot -p${MYSQL_ROOT_PASSWORD} install-examples | tee -a "$ARTIFACTS/mysql.txt"
/opt/domjudge/domserver/bin/dj_setup_database install-examples | tee -a "$ARTIFACTS/mysql.txt"
section_end
fi

section_start "Setup user"
# We're using the admin user in all possible roles
mysql_root "DELETE FROM userrole WHERE userid=1;" $DATABASE_NAME
mysql_log "DELETE FROM userrole WHERE userid=1;" $DATABASE_NAME
if [ "$version" = "team" ]; then
# Add team to admin user
mysql_root "INSERT INTO userrole (userid, roleid) VALUES (1, 3);" $DATABASE_NAME
mysql_root "UPDATE user SET teamid = 1 WHERE userid = 1;" $DATABASE_NAME
mysql_log "INSERT INTO userrole (userid, roleid) VALUES (1, 3);" $DATABASE_NAME
mysql_log "UPDATE user SET teamid = 1 WHERE userid = 1;" $DATABASE_NAME
elif [ "$version" = "jury" ]; then
# Add jury to admin user
mysql_root "INSERT INTO userrole (userid, roleid) VALUES (1, 2);" $DATABASE_NAME
mysql_log "INSERT INTO userrole (userid, roleid) VALUES (1, 2);" $DATABASE_NAME
elif [ "$version" = "balloon" ]; then
# Add balloon to admin user
mysql_root "INSERT INTO userrole (userid, roleid) VALUES (1, 4);" $DATABASE_NAME
mysql_log "INSERT INTO userrole (userid, roleid) VALUES (1, 4);" $DATABASE_NAME
elif [ "$version" = "admin" ]; then
# Add admin to admin user
mysql_root "INSERT INTO userrole (userid, roleid) VALUES (1, 1);" $DATABASE_NAME
mysql_log "INSERT INTO userrole (userid, roleid) VALUES (1, 1);" $DATABASE_NAME
elif [ "$version" = "all" ] || [ "$version" = "unit" ]; then
mysql_root "INSERT INTO userrole (userid, roleid) VALUES (1, 1);" $DATABASE_NAME
mysql_root "INSERT INTO userrole (userid, roleid) VALUES (1, 3);" $DATABASE_NAME
mysql_root "UPDATE user SET teamid = 1 WHERE userid = 1;" $DATABASE_NAME
mysql_log "INSERT INTO userrole (userid, roleid) VALUES (1, 1);" $DATABASE_NAME
mysql_log "INSERT INTO userrole (userid, roleid) VALUES (1, 3);" $DATABASE_NAME
mysql_log "UPDATE user SET teamid = 1 WHERE userid = 1;" $DATABASE_NAME
fi
section_end
9 changes: 2 additions & 7 deletions .github/jobs/ci_settings.sh
100644 → 100755
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,14 +24,9 @@ section_end_internal () {
trace_on
}

mysql_root () {
mysql_log () {
# shellcheck disable=SC2086
echo "$1" | mysql -uroot -proot ${2:-} | tee -a "$ARTIFACTS"/mysql.txt
}

mysql_user () {
# shellcheck disable=SC2086
echo "$1" | mysql -udomjudge -pdomjudge ${2:-} | tee -a "$ARTIFACTS"/mysql.txt
echo "$1" | mysql ${2:-} | tee -a "$ARTIFACTS"/mysql.txt
}

show_phpinfo() {
Expand Down
6 changes: 4 additions & 2 deletions .github/jobs/unit-tests.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ unittest=$2
export unit=1

# Add team to admin user
echo "UPDATE user SET teamid = 1 WHERE userid = 1;" | mysql domjudge_test
mysql_log "UPDATE user SET teamid = 1 WHERE userid = 1;" domjudge_test

# Copy the .env.test file, as this is normally not done during
# installation and we need it.
Expand All @@ -25,6 +25,9 @@ cp webapp/composer.json /opt/domjudge/domserver/webapp/

cd /opt/domjudge/domserver

# The tests add a '_test' suffix to the database name already.
sed -i "s!:domjudge_test:!:domjudge:!" /opt/domjudge/domserver/etc/dbpasswords.secret

# Run phpunit tests.
pcov=""
phpcov=""
Expand All @@ -33,7 +36,6 @@ if [ "$CODECOVERAGE" -eq 1 ]; then
pcov="--coverage-html=${DIR}/coverage-html --coverage-clover coverage.xml"
fi
set +e
echo "unused:sqlserver:domjudge:domjudge:domjudge:3306" > /opt/domjudge/domserver/etc/dbpasswords.secret
php $phpcov webapp/bin/phpunit -c webapp/phpunit.xml.dist webapp/tests/$unittest --log-junit ${ARTIFACTS}/unit-tests.xml --colors=never $pcov | tee "$ARTIFACTS"/phpunit.out
UNITSUCCESS=$?

Expand Down
5 changes: 2 additions & 3 deletions .github/jobs/webstandard.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,19 +20,18 @@ section_start "Setup pa11y"
section_end

section_start "Setup the test user"
ADMINPASS=$(cat etc/initial_admin_password.secret)
export COOKIEJAR
COOKIEJAR=$(mktemp --tmpdir)
export CURLOPTS="--fail -sq -m 30 -b $COOKIEJAR"
if [ "$ROLE" = "public" ]; then
ADMINPASS="failedlogin"
ADMIN_PASSWORD="failedlogin"
fi

# Make an initial request which will get us a session id, and grab the csrf token from it
CSRFTOKEN=$(curl $CURLOPTS -c $COOKIEJAR "http://localhost/domjudge/login" 2>/dev/null | sed -n 's/.*_csrf_token.*value="\(.*\)".*/\1/p')
# Make a second request with our session + csrf token to actually log in
# shellcheck disable=SC2086
curl $CURLOPTS -c "$COOKIEJAR" -F "_csrf_token=$CSRFTOKEN" -F "_username=admin" -F "_password=$ADMINPASS" "http://localhost/domjudge/login"
curl $CURLOPTS -c "$COOKIEJAR" -F "_csrf_token=$CSRFTOKEN" -F "_username=admin" -F "_password=$ADMIN_PASSWORD" "http://localhost/domjudge/login"

# Move back to the default directory
cd "$DIR"
Expand Down
15 changes: 7 additions & 8 deletions .github/workflows/database-upgrade.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
jobs:
upgrade_test:
runs-on: ubuntu-latest
env:
ADMIN_PASSWORD: admin_password
MYSQL_ROOT_PASSWORD: mysql_root_password
container:
image: domjudge/gitlabci:24.04
services:
Expand All @@ -17,9 +20,7 @@ jobs:
ports:
- 3306:3306
env:
MYSQL_ROOT_PASSWORD: root
MYSQL_USER: domjudge
MYSQL_PASSWORD: domjudge
MYSQL_ROOT_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }}
options: --health-cmd="healthcheck.sh --connect --innodb_initialized" --health-interval=10s --health-timeout=5s --health-retries=3
steps:
- uses: actions/checkout@v4
Expand All @@ -38,18 +39,16 @@ jobs:
restore-keys: |
composer-
- name: Import Database
run: mysql -hsqlserver -uroot -proot < .github/jobs/data/dj733.sql
run: mysql -hsqlserver -uroot -p${{ env.MYSQL_ROOT_PASSWORD }} < .github/jobs/data/dj733.sql
- name: Upgrade DOMjudge
run: .github/jobs/baseinstall.sh default upgrade
- name: Setting initial Admin Password
run: echo "pass" > /opt/domjudge/domserver/etc/initial_admin_password.secret
- name: Check for Errors in the Upgrade
run: mysql -hsqlserver -uroot -proot -e "SHOW TABLES FROM domjudge;"
run: mysql -hsqlserver -uroot -p${{ env.MYSQL_ROOT_PASSWORD }} -e "SHOW TABLES FROM domjudge;"
- name: Check for Errors in DOMjudge Webinterface
run: .github/jobs/webstandard.sh none admin
- name: dump the db
if: ${{ !cancelled() }}
run: mysqldump -uroot -proot --quick --max_allowed_packet=1024M domjudge > /tmp/db.sql
run: mysqldump -hsqlserver -uroot -p${{ env.MYSQL_ROOT_PASSWORD }} --quick --max_allowed_packet=1024M domjudge > /tmp/db.sql
- name: Upload database dump for debugging
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
jobs:
integration:
runs-on: ubuntu-24.04
env:
ADMIN_PASSWORD: admin_password
MYSQL_ROOT_PASSWORD: mysql_root_password
timeout-minutes: 30
container:
image: domjudge/gitlabci:24.04
Expand All @@ -19,9 +22,7 @@ jobs:
ports:
- 3306:3306
env:
MYSQL_ROOT_PASSWORD: root
MYSQL_USER: domjudge
MYSQL_PASSWORD: domjudge
MYSQL_ROOT_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }}
options: --health-cmd="healthcheck.sh --connect --innodb_initialized" --health-interval=10s --health-timeout=5s --health-retries=3
steps:
- uses: actions/checkout@v4
Expand Down Expand Up @@ -57,11 +58,10 @@ jobs:
- name: Check nginx
run: curl -v https://localhost/domjudge/
- name: Configure print command
working-directory: submit
run: |
curl --fail -u 'admin:password' -X 'GET' 'http://localhost/domjudge/api/v4/config?strict=false' \
curl --fail -u "admin:${ADMIN_PASSWORD}" -X 'GET' 'http://localhost/domjudge/api/v4/config?strict=false' \
| jq '.print_command |= "cp [file] /tmp/dj-printfile"' \
| curl --fail -u 'admin:password' -X 'PUT' -T - 'http://localhost/domjudge/api/v4/config?strict=false' \
| curl --fail -u "admin:${ADMIN_PASSWORD}" -X 'PUT' -T - 'http://localhost/domjudge/api/v4/config?strict=false' \
- name: Testing submit client
working-directory: submit
run: make check-full
Expand Down Expand Up @@ -95,7 +95,7 @@ jobs:
done
- name: dump the db
if: ${{ !cancelled() }}
run: mysqldump -uroot -proot --quick --max_allowed_packet=1024M domjudge > /tmp/db.sql
run: mysqldump --quick --max_allowed_packet=1024M domjudge > /tmp/db.sql
- name: Upload database dump for debugging
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
Expand Down Expand Up @@ -127,7 +127,7 @@ jobs:
# Make an initial request which will get us a session id, and grab the csrf token from it
CSRFTOKEN=$(curl $CURLOPTS -c /tmp/cookiejar "http://localhost/domjudge/login" | sed -n 's/.*_csrf_token.*value="\(.*\)".*/\1/p')
# Make a second request with our session + csrf token to actually log in
curl $CURLOPTS -c /tmp/cookiejar -F "_csrf_token=$CSRFTOKEN" -F "_username=admin" -F "_password=password" "http://localhost/domjudge/login"
curl $CURLOPTS -c /tmp/cookiejar -F "_csrf_token=$CSRFTOKEN" -F "_username=admin" -F "_password=${ADMIN_PASSWORD}" "http://localhost/domjudge/login"
# Send a general clarification to later test if we see the event.
curl $CURLOPTS -F "sendto=" -F "problem=1-" -F "bodytext=Testing" -F "submit=Send" \
"http://localhost/domjudge/jury/clarifications/send" -o /dev/null
Expand Down Expand Up @@ -172,4 +172,4 @@ jobs:
export CCS_SPECS_PINNED_SHA1='a68aff54c4e60fc2bff2fc5c36c119bffa4d30f1'
( cd ccs-specs && git reset --hard $CCS_SPECS_PINNED_SHA1 )
export CHECK_API="${HOME}/ccs-specs/check-api.sh -j ${HOME}/yajsv"
$CHECK_API -n -C -e -a 'strict=1' http://admin:password@localhost/domjudge/api
$CHECK_API -n -C -e -a 'strict=1' "http://admin:${ADMIN_PASSWORD}@localhost/domjudge/api"
7 changes: 4 additions & 3 deletions .github/workflows/unit-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ jobs:
permissions:
checks: write
runs-on: ubuntu-24.04
env:
ADMIN_PASSWORD: admin_password
MYSQL_ROOT_PASSWORD: mysql_root_password
timeout-minutes: 30
container:
image: domjudge/gitlabci:24.04
Expand All @@ -37,9 +40,7 @@ jobs:
ports:
- 3306:3306
env:
MYSQL_ROOT_PASSWORD: root
MYSQL_USER: domjudge
MYSQL_PASSWORD: domjudge
MYSQL_ROOT_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }}
options: --health-cmd="healthcheck.sh --connect --innodb_initialized" --health-interval=10s --health-timeout=5s --health-retries=3
strategy:
matrix:
Expand Down
7 changes: 4 additions & 3 deletions .github/workflows/webstandard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
jobs:
standards:
runs-on: ubuntu-latest
env:
ADMIN_PASSWORD: admin_password
MYSQL_ROOT_PASSWORD: mysql_root_password
container:
image: domjudge/gitlabci:24.04
services:
Expand All @@ -17,9 +20,7 @@ jobs:
ports:
- 3306:3306
env:
MYSQL_ROOT_PASSWORD: root
MYSQL_USER: domjudge
MYSQL_PASSWORD: domjudge
MYSQL_ROOT_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }}
options: --health-cmd="healthcheck.sh --connect --innodb_initialized" --health-interval=10s --health-timeout=5s --health-retries=3
strategy:
matrix:
Expand Down
Loading
Loading